== what about the validation of legal/illegal licenses of commercial software? ==

=FreeBSD=

This section describes how to set up a [[FreeBSD]] system as a disk imaging system.

I'm sometimes requested by the Courts to proceed with investigations in order to detect if a company is using software (e.g. AutoCad, MS Office, Adobe) with licenses or not.

==Install FreeBSD 6.2 on a new computer==

The evidence of such stuff is sometimes easy and sometimes not. The display of the "About" is sometimes enough, but for some software the evidence is not so easy.

May I propose we open a new section to address such topics?

# Boot the FreeBSD 6.2 CDROM
# Hit return to boot the Default
# Hit return to select "United States" (or choose your country)
# Hit down-arrow and hit return to select "standard install"

What do you think? --[[User:Chuv|Chuv]] 04:16, 19 July 2007 (PDT)

Setting up the partition table:

: Sounds like a good idea. How about [[How to determine if software is legally licensed]]? It should probably go in the [[:Category:Howtos]]. [[User:Jessek|Jessek]] 16:11, 19 July 2007 (PDT)

# Press Enter to select "OK". If a warning says the geometry is incorrect, select "OK" to accept.
# If there are any partitions, use the up and down arrows to select them and press "d" to delete them.
# Press "a" to use all of the disk.
# Press "q" to finish.
# Press the down arrow and hit Enter to select the Standard MBR (no boot manager).

Setting up the FreeBSD partitions:

# Press "enter" at the OK prompt.
# Press "a" for auto-defaults
# Press "q" to accept

Choosing what to install:

# Press the down arrow and Enter to select "all" software
# Press Enter at the "yes"
# Press the up arrow and press Enter to Exit
# Press Enter to select CD/DVD
# Press Enter to confirm

== Global Directory of Analysts ==

FreeBSD 6.2 will be installed. Now you need to configure it.

I am setting up a global directory of computer forensics analysts, and am looking for feedback to the idea. Although the directory is in the UK, I want it to be global. Any thoughts, please put them on Computer Forensics [http://www.computer-forensics.co.uk] in the forums section. Thanks and regards, Simon

# Press Enter at the OK prompt when installation is complete.

: Given the lack of response I'm not sure this is a viable idea. [[User:Jessek|Jessek]] 21:13, 26 February 2007 (PST)

# Press [Yes] Enter to configure an Ethernet address.

: Doesn't seem like a good idea to me. [[User:Simsong|Simsong]] 18:50, 15 March 2007 (PDT)

# Press [Ok] Enter to configure the first Ethernet card.

: Response is small because the very idea and both sites are not well known within North America. Computer forensics here has been mostly a secondary role rather than a principal focus. To raise awareness of both efforts, this wiki and computer-forensics.co.uk, you need to get their existence promoted in major publications and the primary professional organizations.

# Press [No] Enter when asked if you want to configure an IPv6 interface.
# Press [Yes] Enter when asked if you want to configure with DHCP.
# Press [No] Enter when asked if you want to be a network gateway.
# Press [No] Enter when asked if you want to configure inetd.
# Press [No] Enter when asked if you want to enable SSH login.
# Press [No] Enter when asked if you want to have anonymous FTP.
# Press [No] Enter when asked if you want to configure the machine as an NFS server.
# Press [No] Enter when asked if you want to configure the machine as an NFS client.
# Press [No] Enter when asked if you want to customize the system console settings.
# Press [Yes] Enter when asked if you want to set the machine's time zone.
# Press [No] Enter when asked if the machine's system clock is in UTC.
# Select your region and press [OK] Enter
# Select your country and press [OK] Enter
# If you are in the US, select your time zone and press [OK] Enter
# Press [Yes] Enter to confirm the time zone.
# Select [No] Enter when asked if you need Linux compatibility.
# Select [No] Enter when asked if you have a mouse (even if you have one).
# Select [No] Enter when asked if you wish to browse the ports collection.
# Select [No] Enter when asked if you wish to add any user accounts.
# Press [OK] Enter when told you will be setting the Root password
# Press [Enter] for the Root password; we will use no password.
# Press [Enter] to confirm the empty root password.
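The network and service prompts above each end up as one variable in /etc/rc.conf, so the result of the walk-through can be checked after the fact. The following POSIX shell script is an added example (it is not part of the original wiki page) that audits an rc.conf file against the answers given above: every declined service must be off and some interface must be on DHCP. The sample rc.conf files it writes are constructed for the demo, not real sysinstall output, and it assumes that a variable missing from rc.conf takes the "NO" default from /etc/defaults/rc.conf.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit an rc.conf against
# the answers given in the walk-through above. The prompts map onto these
# rc.conf variables (all real FreeBSD knobs):
#   network gateway      -> gateway_enable      IPv6 interface   -> ipv6_enable
#   inetd                -> inetd_enable        SSH login        -> sshd_enable
#   NFS server / client  -> nfs_server_enable / nfs_client_enable
#   Linux compatibility  -> linux_enable        mouse            -> moused_enable
# Anonymous FTP is served through inetd, so inetd_enable covers it.
#
# Assumption: a variable that does not appear in rc.conf takes the value from
# /etc/defaults/rc.conf, which is "NO" for every variable checked here.

# rc_value FILE KEY: print the last assignment of KEY in FILE, or "NO" if absent.
rc_value() {
    val=$(sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#]*\)[\"']\{0,1\}.*/\1/p" "$1" \
          | tail -n 1 | sed 's/[[:space:]]*$//')
    printf '%s\n' "${val:-NO}"
}

# rc_flag_is_no FILE KEY: succeed when KEY is off (the spellings rc.subr's checkyesno accepts).
rc_flag_is_no() {
    case $(rc_value "$1" "$2") in
        [Nn][Oo]|[Ff][Aa][Ll][Ss][Ee]|[Oo][Ff][Ff]|0) return 0 ;;
        *) return 1 ;;
    esac
}

# rc_uses_dhcp FILE: succeed when some ifconfig_<if> line is set to DHCP or SYNCDHCP.
rc_uses_dhcp() {
    grep -Eiq '^[[:space:]]*ifconfig_[A-Za-z0-9_]+=.?(SYNC)?DHCP' "$1"
}

# audit_rc_conf FILE: print one line per check; return the number of deviations.
audit_rc_conf() {
    file=$1
    fails=0
    for key in sshd_enable inetd_enable gateway_enable nfs_server_enable \
               nfs_client_enable linux_enable moused_enable ipv6_enable; do
        if rc_flag_is_no "$file" "$key"; then
            echo "ok    $key=$(rc_value "$file" "$key")"
        else
            echo "WARN  $key=$(rc_value "$file" "$key") (the walk-through leaves this off)"
            fails=$((fails + 1))
        fi
    done
    if rc_uses_dhcp "$file"; then
        echo "ok    an interface is configured with DHCP"
    else
        echo "WARN  no interface is configured with DHCP"
        fails=$((fails + 1))
    fi
    return "$fails"
}

# Constructed sample files (not real sysinstall output): the first reflects
# the walk-through, the second a box where two prompts were answered Yes.
write_samples() {
    cat > "$1" <<'EOF'
ifconfig_em0="DHCP"
hostname="imager.example.invalid"
keymap="us.iso"
EOF
    cat > "$2" <<'EOF'
ifconfig_em0="DHCP"
sshd_enable="YES"
linux_enable="YES"   # Linux compatibility was accepted
EOF
}

# Demo run against the constructed samples.
demo_dir=$(mktemp -d)
write_samples "$demo_dir/rc.conf.good" "$demo_dir/rc.conf.bad"
echo "== rc.conf.good"; audit_rc_conf "$demo_dir/rc.conf.good" || true
echo "== rc.conf.bad";  audit_rc_conf "$demo_dir/rc.conf.bad"  || echo "$? setting(s) differ from the walk-through"
rm -rf "$demo_dir"
```

Run it as `sh rc_audit.sh`, or source it and call `audit_rc_conf /etc/rc.conf` on the finished machine. Two things it cannot see: the empty root password chosen above lives in /etc/master.passwd, not rc.conf, which is why the walk-through pairs it with sshd and inetd left off; and a service started by hand rather than from rc.conf will not show up here.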

=Getting Your Forensics Software Working for local analysis=

Note that the order you do this matters: SleuthKit won't compile with AFFLIB support unless AFFLIB is installed on your system.

# Download and install [[libewf]] if you want EnCase support.
# Download and install [[AFFLIB]] from http://www.afflib.org/
# Download and install [[SleuthKit]] from http://www.sleuthkit.org/
# Download and install [[fiwalk]] from http://www.afflib.org/
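Because the order matters, it is worth checking that AFFLIB really landed under the install prefix before SleuthKit's configure runs, rather than discovering a build without AFF support afterwards. The script below is an added example (not from the wiki page, nor from the AFFLIB, libewf or SleuthKit projects) that does that pre-flight check. It assumes the libraries were installed with the usual `./configure && make && make install` into a prefix (default /usr/local), so that AFFLIB's header is at `include/afflib/afflib.h` and libewf's at `include/libewf.h`; the install tree it builds for the demo is constructed in a temporary directory.

```shell
#!/bin/sh
# Added example, not taken from the wiki page or from the AFFLIB, libewf or
# SleuthKit projects: a pre-flight check that enforces the build order the
# note above describes, refusing to go on to SleuthKit until AFFLIB is
# actually installed (and reporting whether libewf is there too).
#
# Assumption: each library was installed with "./configure && make &&
# make install" under PREFIX (default /usr/local), so its headers are in
# PREFIX/include and its libraries in PREFIX/lib.

# lib_installed PREFIX NAME HEADER: succeed when HEADER exists under
# PREFIX/include and some lib<NAME>.* exists under PREFIX/lib.
lib_installed() {
    prefix=$1 name=$2 header=$3
    [ -f "$prefix/include/$header" ] || return 1
    set -- "$prefix/lib/lib$name".*      # glob stays literal if nothing matches
    [ -e "$1" ]
}

# sleuthkit_ready PREFIX: report what SleuthKit's build would find; succeed
# only when AFFLIB is present, since that is the hard requirement for AFF support.
sleuthkit_ready() {
    prefix=${1:-/usr/local}
    if lib_installed "$prefix" afflib afflib/afflib.h; then
        echo "ok    AFFLIB found under $prefix; SleuthKit will build with AFF support"
        afflib_ok=0
    else
        echo "STOP  AFFLIB not found under $prefix; install it before building SleuthKit"
        afflib_ok=1
    fi
    if lib_installed "$prefix" ewf libewf.h; then
        echo "ok    libewf found under $prefix; EnCase (E01) support will be built"
    else
        echo "note  libewf not found; SleuthKit will build without EnCase support"
    fi
    return "$afflib_ok"
}

# fake_prefix: build a constructed stand-in for an install tree with only
# AFFLIB present, so the check can be exercised without a real install.
fake_prefix() {
    dir=$(mktemp -d)
    mkdir -p "$dir/include/afflib" "$dir/lib"
    : > "$dir/include/afflib/afflib.h"
    : > "$dir/lib/libafflib.a"
    printf '%s\n' "$dir"
}

# Demo: an empty prefix fails the check, the constructed one passes.
empty=$(mktemp -d)
sleuthkit_ready "$empty" || echo "-> build order violated: install AFFLIB first"
with_afflib=$(fake_prefix)
sleuthkit_ready "$with_afflib"
rm -rf "$empty" "$with_afflib"
```

On a real machine call `sleuthkit_ready /usr/local` (or whatever prefix you installed into) and only run SleuthKit's configure when it succeeds; if the libraries live under a non-standard prefix, check `./configure --help` in the SleuthKit source for the option that points it at them.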

== List of OS changed files at boot time or poweroff. ==

[[Category:Howtos]]

Sometimes I find it useful to know which files are changed at boot time of the OS or on poweroff. For example, to know what happened with the OS (Windows or Linux or ...) and what files to exclude or include in an investigation. So I started collecting this information with qemu and mactime. I think this wiki is the best place to post it; what do you think, how should I name it and the category? Also I will be thankful if someone can correct my English.

I would encourage you to post it at [[Files changed at boot:Windows XP]], [[Files changed at boot:Windows Vista]], and the like. [[User:Simsong|Simsong]] 18:53, 25 October 2007 (PDT)

== Anti-forensic Tools Link on Homepage ==

The anti-forensic tools link on the homepage of this wiki doesn't appear to go to the proper page, but rather goes to a pro-forensic tools page. Do we have a page just for anti-forensic tools? It would appear to me that the internal link should point to that type of a page rather than one on pro-forensic tools. Thoughts? [[User:Cobalt2020|AEI Forensics]]

== Organizing Anti-Forensics and Page Naming query ==

I've made a start on trying to organize the Anti-Forensics information, creating a number of sections including Category:Anti-Forensics. I created a category Category:Anti-Forensics Tools (uppercase) without realising there was already a Category:Anti-forensics tools (lowercase). Is there any standardization on whether page titles should be upper or lower case? I would have thought upper case was the better option...

[[User:Fsck|Fsck]] 22:43, 4 July 2008 (UTC)

== File Header Page ==

Do we have a page on this forensic wiki devoted to File Header information such as specific file header and footer signatures or at least a page of links to known file header compendiums? Do we want one? [[User:Cobalt2020|AEI Forensics]]

I've started a weekly posting of forensics research. In my quick review of the other websites that come up when doing a Google search for "computer forensics", it seems that nothing is really up-to-date, so perhaps we can start a more active community here. Perhaps this will grow into a blog roll. [[User:Simsong|Simsong]] 23:46, 5 July 2008 (UTC)

:: What about the next Selected Forensics Research? Two months have passed without updates. [[User:.FUF|.FUF]] 21:10, 17 October 2008 (UTC)

I've written a little SQL statement which will remove the 1100 or so usernames that have been registered but which have never contributed anything and have no talk. This was considered for the mediawiki project but never implemented (weird). Anyway, unless there is a suggestion, I'll go ahead and do it... [[User:Simsong|Simsong]] 05:10, 20 August 2008 (UTC)

== Tools table ==

Is it possible to add [[Wireshark]] and [[NetworkMiner]] to the Tools table on the Main Page (here: ''Network Forensics: Snort, ... '')? [[User:.FUF|.FUF]] 17:08, 11 September 2008 (UTC)

: Done [[User:Simsong|Simsong]] 04:40, 12 September 2008 (UTC).

== Did you know? ==

What about organizing "Did you know?" section with some interesting facts from articles (like in Wikipedia)? [[User:.FUF|.FUF]] 12:34, 29 October 2008 (UTC)

== Wiki News ==

I have updated the version of SpamBlacklist. [[User:Simsong|Simsong]] 23:49, 30 October 2008 (UTC)

I have fixed the server config file so we now get /wiki/ URLs. [[User:Simsong|Simsong]] 20:33, 3 November 2008 (UTC)

== Forensics Wiki Mailing List ==

Hello all. I would like to ask, are there any mailing lists focused on forensics? I need a reference here. --[[User:Zakiakhmad|Zakiakhmad]] 09:48, 13 March 2009 (UTC)

Latest revision as of 13:05, 3 October 2009
